SpamSlayer - should we DDOS spammers?

pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them. Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like? "

Sounds like a lawsuit waiting to happen...

[Iphtashu Fitz]

All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.

Easy profit

[rockclimber]

1. Spam in Name of Competitor 2. ? 3. PROFIT

I remember when this debate started

[AEton]

A couple of guys told everyone on Usenet about their latest green card scheme.

Should we bomb them into oblivion?

Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?

Sometimes I think we chose wrong.

Re:Sophistry at its finest...

[YomikoReadman]

While it's certainly true that DDoS attacks are illegal, and that there is a precedence that sets these types of things firmly in the illegal category, I personally think that we should reexamine them. Set a statute that allows DDoS attacks against known spam hosts and the like.

Ultimately, all this soft CANSPAM style BS needs to stop, and tougher measures need to be brought up to speed.

It's just communication

[Anonymous Coward]

If you contact me, then IMHO you have agreed to accept my answer, which may consist of more than you expected. Want to stop it? Stop contacting me. Yes, I am aware that this might hurt "innocent" owners of compromised machines. If they can't handle what their machines start, then they're free to take them offline.

Re:Sophistry at its finest...

[interiot]

How do you define DDOS? If spammers send millions of emails in a day to AOL, does that constitute a DDOS against AOL? If large ISPs automatically send an unsubscribe response for each spam they get, and the total bandwidth is less than what the spammer originally sent, does that constitute a DDOS? Is it a DDOS if the large ISP's intent in doing this is to shut the spammer down?

This has been going on for years

[RingDev]

This is a common practice. I did some consulting work for a co-owner for one of the early email harvesting/organizing/sales/distrobution companies. (Not on his evil project though) He went through 6 IPs that year. Basicly, DDOSers would attack the entire node he was on, not just him, they would threaten the ISP. The ISP looks at the profit potential of one company, versus the cost of losing all of their customers and would boot him off their grid.

All in all a pita for him. But the thing that will shut down a spammer... Charge Backs. Anyone who deals with online sales and credit cards knows that the quickest way to lose your online sales abaility is to have a few people return their goods and demand their money back. CC companies hate this, and if you get more then a few over a year, you can bet your account is going to get revoked. And getting an ISP is a hell of a lot easier than getting a CC carrier.

-Rick

Collateral Damage

[Zane Hopkins]

But how do you correctly identify which sites to target. It will probably cause even more collateral damage than dns block lists.

Fighting fire with fire usually results in damage to both sides (friendly fire anyone?)

Re:Two wrongs don't make a right

[$RANDOMLUSER]

The problem is the spammers are operating through zombie PC nets and open proxies. The actual (end) senders of the spam are usually unaware that they're sending it. Meanwhile, spamvertising is an inherently low margin operation. By costing the spamvertised site more hosting costs, you're taking away thier incentive to hire the criminal spammers who we can't catch anyways.

Imagine if drug dealers were invisible, but drug buyers glowed in the dark.

It depends on the timing.

[RealProgrammer]

If you catch someone in the act of doing harm to you or to someone else, don't wait. Act. Stop the harm being done, or being threatened.

It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.

Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.

After the fact it becomes mere revenge, which is a waste of time.

Re:Hate to break it to you, but

[germanStefan]

I think the best way to combat spam is with effective server side anti-spam solution, but still delivering it just tagged as *SPAM* what they then do wiht it is up to them. If someone wants to get penis creme to get the biggest "cum shots to impress their wife"(pardon my language...just reading from my last spam message). Its not up to me as an admin of a small hosting company to do anything. I wont attack those sending me spams, and its not my job to block people from getting what they want. I don't think spam is such a pain as a well trained (more than 10000 spams and hams) spamassassin or other bayesian filter should get reasonably good.

Also I set up a catch all for my clients. They sign up at websites as @domain.com. Then if that domain starts sending spams we add as an alias to the spam@domain.com. This has helped a great deal as people's primary e-mail accounts remain hidden behind the catch all. And it require almost no work for the clients. They can send me a quick note or add it through their "control panel" blacklist...

What do other slashdotters do that are admin's for hosting companies or midsize-big companies? I would be interested

Wait a second

[Marc2k]

How long before the RIAA gets permission to DDoS file-sharers, or entire P2P networks?

Didn't...this already happen? I can't find an article offhand (Googling mostly gives back results about the RIAA website getting DOSd. I'm not sure of the outcome, but I do know that a few years ago, the RIAA sought amnesty from laws regarding DOS attacks, so that they could DOS "known pirates". I'm not sure if they were ever granted anything relating to this though..but judging by the fact that I can't find anything relating to the subject, I'd guess that nothing ever came of it.

Re:It depends on the timing.

[ScentCone]

After the fact it becomes mere revenge, which is a waste of time

Unless it can be shown that he's in the habit of continuing to do it. Taking him out after an event is pre-emptive and self defense against the inevitable next event. It's the same reason that some women who kill their wife-beating husbands in their sleep are acquitted of murder.

Do-Not-Intrude Registry Service

[guyro]

There is no doubt that DDoS is an illegal and immoral action. As a security company we are the first to recognize that and live by that rule.

Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.

The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaint to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.

Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.

We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.

Guy Rosen
Blue Security, Director of Operations
http://www.bluesecurity.com/ [bluesecurity.com]

Re:Sophistry at its finest...

[TooncesTheCat]

What constitutes a DOS period. I mean come on, its the most simple attack that can be done. Its quite effective, and so simple that a DOS can be anything that doesnt tickle the attackee's funny bone. If the anti-spammers were to get a bunch of people to download a program that basically requested the spammers domain / website over and over is that considered a DOS attack? Anything can be considered a DOS attack if you think about, hell the slashdot effect could be considered a DOS attack if you really want to get literal. I would like to see how and when the courts decide what a malicious bandwidth eating attack is really.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Sophistry at its finest...

[stickyc]

Personnally, I prefer to submit only one single unsubscribe request. My email address just happend to be ...:
'or'test@yahoo.com'like'%
If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!

At which point, the spammer gets to sue you for business damages due to lost potential revenue? The best part is, they can scale the damages based on thier potential lost revenue (IE - the bigger the spammer, the more they can hold you liable for).

Re:Sophistry at its finest...

[femtoguy]

I think that the best idea is not to do DDOS, but something even more useful. If everyone chooses a fake set of personal credentials (name, phone number and whatever else) and then responds with the fake information, that will shut down the spammers in a hurry. Instead of sending out 10,000,000 e-mails and getting 10 promising leads, they will get 10 promising leads and 999,990 fake names and addresses.

Re:Sophistry at its finest...

[TripMaster Monkey]

I'm not oversimplifying at all here. The difference between Blue Security's strategy and a Slashdotting is one of intent. Slashdotters don't intend to take down the site they are trying to view. Blue Security, however, has openly admitted that their strategy is designed to cripple spammers' web sites. While the actual content of Blue Security's traffic consists of perfectly valid unsubscribe requests, the fact remains that the primary objective is to bring spam websites to their knees through sheer volume...the precise definition of a DDOS attack.

I hate spam as much as the next guy, but vigilantism such as this will only make a bad situation worse.

Re:Sophistry at its finest...

[Anonymous Coward]

Reloading doesn't help unless you set the cache to zero. Which you can't do in IE. Also keep in mind that broadband isps, as well as AOL and Netzero cache at the ISP level.

The best bet is to proxy & fill out their forms "several" times. That jackass last week who was getting his porn spam past all our filters (the guy who would send seven spams in a row inside of a minute) was vulnerable to this. If you fill out his order form with realistic junk you would even get access to his content page... because he didn't charge the card, just checked the lum... not that there was much content... not that I would know firsthand.

Now if you insist on reloading there are tools. On download.com you can get a freeware prog based on IE4 called Refresher. It can be set to auto-reload a website every seven seconds. Make sure you add a ?and a few hundred extra characters to the end of the URL to make his access log especially long and time consuming to download. But like I said it may only be useful if you have a t1 or better. There are tools on sourceforge to flood forms, or you can just use a key macro program and a spare computer to work his form overnite.

I advocate this because it works, not preaching from any moral position. The $59 home business spammers are knocked out immediately and permanently if only ONE guy does this, while the big box spammers implement all kinds of defense -- javascript form checks (just turn off javascript) etc etc that make their order page difficult and annoying and actually end up costing them legit orders... because they can't stand being spammed with bogus orders.

I see...

[rpdillon]

...a lot of people taking the moral "high ground" on this one and deriding these types of tactics. Let me draw another picture:

Rather than taking an offensive stance, let design a system that runs in a distributed way (a network) that can detect a particular spam email as it is sent out to millions of addresses. Then, merely in response to that event, the nodes on the network coordinate to create an automated reply to unsubscribe from that piece of email.

Now, I am sure there are those among you that would argue that this is a DDoS type approach. And it is. Except I think you'd stand a very good chance in court (if it ever even made it that far) of arguing that is perfectly legal. Spamming is illegal, and they are required to provide a link to unsubscribe. In the case that they do not, some nodes on the network could sleuth down the appropriate address to send the request to and provide it to other nodes. Thus, the network would never initiate an attack, it would merely recognize and respond (using the channels provided for in law) to the emails that are sent out. Sure, the end effect would be a DDoS, but so is a Slashdotting - and that isn't illegal.

I haven't done my homework on the wording of the law that makes a DDoS illegal (besides, in whose jurisdiction is it illegal?), but there are so many DDoS-like events on the web that the law cannot make them ALL illegal, and if Slashdotting is OK, I'm sure the scheme outlined above would be OK, too.

Re:Sophistry at its finest...

[PlusFiveTroll]

As someone thats been hit by a joejob before. This article is exactly what happend to us. Someone sent out hundreds of thousands of emails with our advertizement in them to people that were not on our mailing list. We did not authorize it, and there was not any way we could stop it either! Someone called directnic and had our domain turned off, we got it back on with in a few hours. Then after that a DDOS started against our site and lasted for days. Then the spam and ddos stopped just as fast as it began, and no we dont sell commonly spammed products on our site.

Fight Back.

[qualico]

As I watch my server crawl with thousands of spam smtp requests on one screen and read this story on another...I think, let the war begin!

Now sending floods to unsubcribe lists, is not the way to be doing it however.

The attacks should be directed at the injecting IP.

In the example below, I direct a ping flood to: 219.86.51.137
Further, you could parse the body for the web sites actually hosting the spam.

As well, you can have scripts automatically send notifications to blacklisters and abuse departments of the upstream providers.
net.tw ---> http://www.pigo.cn/index.htm [www.pigo.cn] gets abuse complaint.
(Now if I could only write in chinese)

Further, you could hack the injecting box:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ [insecure.org] ) at 2005-07-18 10:40 MDT
Interesting ports on 219-86-51-137.dynamic.tfn.net.tw (219.86.51.137):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
1025/tcp open NFS-or-IIS

Looks like some juicy ports.

Example Spammer Header:
>From ahzu6.j93m6@yahoo.com Mon Jul 18 10:22:54 2005
Return-Path:
Received: from 142.127.184.144 (219-86-51-137.dynamic.tfn.net.tw [219.86.51.137])
by ns.qualico.ca (8.9.3/8.8.7) with ESMTP id KAA23411;
Mon, 18 Jul 2005 10:22:54 -0600
Message-Id:
From: =?Big5?B?dzahuTahuTYyMzo1MjoyMQ==?=
Subject: =?Big5?B?GwgYsdAUsXoVvHYCpPkDsMURv+gIIRMhEggI?=
T o: "uzhl"
Content-Type: text/html;
charset="BIG-5"
Sender: "w66623:52:21"
Reply-To: ahzu6.j93m6@yahoo.com
Date: Mon, 18 Jul 2005 23:55:06 +0800
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000

Re:What shall we do?

[fermion]

I find many of these responses very interesting. I mean, what can we do? We can call the police, but if no law has been broken, or if no person can be found, then they can do nothing. We can call our congress people and ask for help, but they say that the industry can regulate itself, and any laws would be unfair to an industry that 99% honest. Anyway, improper behavior can be managed by existing laws. So we go to the plaintiff lawyers, but they say the government regulations on filing and limits on compensation means that there is no money to be made, so the case cannot be taken. And we should not sue because the spamers are perfectly free to sue us using the established and unregulated machinery of the corporate lawyer. The machinery that would sign a letter stating that a tax dodge is legal, knowing full well it is not.

So, what is left. Fighting back. Having a bunch of people loading the web site promoted by the spam, which is not so bad, as if the email was spent, a response is to be expected. Or perhaps every person calling the location the spam is promoting. But that would be so unfair, the republicans with high school mentalities protest. The firm may not have known that spam was going to be used. They are just trying to run an honest operation, and the email is just advertising. If you don't like it, ignore it. There is no reason to make trouble for the poor employees at the front desk, who will just lose their jobs if the firm goes down. Think of the children.

So, we are left as sheep, hoping the shepherd will save us. But we have learned first the sheep, then the shepherd. Even so it would be so unfair to do anything that might infringe on the inalienable and self evident right to make money using any means necessary.

Re:Sophistry at its finest...

[et764]

I've read about some micropayment schemes as a way of combatting spam. The idea is that spam basically costs the spammers nothing, so you add a computational cost to it. When you a mail client connects to the mail server and requests to send a message, the server responds "Okay, but first you have to give me the answer to this computational problem." It would be some problem that's relatively difficult to solve, but easy to check so the server doesn't incur a huge cost giving these out. It'd be a small cost, so it's hardly noticeable for legitimate e-mails, but when sending bulk e-mails, the spammers would at least be forced to buy a very powerful computer to solve all of these payment problems.

Re:Sounds like a lawsuit waiting to happen...

[wkcole]

Read about the clean hands doctrine and get back with us.

Read up on the history of the Church[spit] of Scientology's lawsuits and of the lawsuits that were filed against MAPS in 2000 by spammers and get back with us.

One thing LRH got right: lawsuits under the US system are not all about who is right or about wins in court. They are often about which side can inflict the most damage on its opponent by careful strategic pursuit of the lawsuit.

Bad idea.

[Quixadhal]

I don't hate spam for the same reasons most people hate spam. I suspect most people are just annoyed with the deluge of crap that ends up in their inbox. I don't care, it gets filtered out 80% of the time and it takes me about a minute each morning to click the "yes, that's spam too" button in thunderbird.

What *I* hate about spam is the fact that there's so much of it that it accounts for a good measurable percentage of the total traffic on the net. Think about it. Spam is usually small messages, sent to thousands of recipients all over the world. So every bit of spam branches out from the spammers local mail relay and induces a small amount of traffic to a great many parts of the network.

There are lots of spammers. They send lots of spam to lots and lots of people. That makes up a huge collection of packets that have to be routed all over the globe, all day long. I heard a figure somewhere saying it might be as high as 60% of total traffic.

My ping times to various game servers are seldom better than 70ms, and quite often over 100ms. I'm willing to bet that if all that crap weren't being flushed all over the net, the overall latency would drop by a good 20ms.

(Don't get me wrong, I'd rather have a nice T3 and be high enough up to not have the extra latency to begin with... but... I can only hold my breath so long.)

Using DDoS attacks against them would just induce even more garbage onto the network, and make it even slower.

The "right" way to deal with it is to (a) change the SMTP protocol so it requires some form of identification (perhaps a public key signature) -- if I don't recognize the caller-id on my phone, it goes to voicemail, why should email be different?, (b) go back to batch processing of email -- why do you NEED email to get there in 30 seconds, use an IM for real-time. Let mail servers send mail every 4 hours so at least that end can be more efficient. Use compression while you're at it. And (c) make spamming a crime, punishable by firebombing of the offenders house *grin*. If (a) happens, it should be possible to locate the spammer's property and eliminate it. That would remove the incentive for spamming, since all that "hard-earned" money would be lost.

or...

[corpsiclex]

we could make a thunderbird/evolution/etc plugin that automatically wgets all the links in a message flagged as junk a few times. if enough people decide the email is unwanted, the problem takes care of itself. this is a bit of an added safeguard because its sort of a vote rather than one person or company deciding what is spam and what is not.

invalid on its face

[maxpublic]

There is no law on the internet. Some countries punish spammers via the law but this only works for spammers within the borders of those countries, or reciprocating countries, and only if the spammer is actually caught. Crime prevention on the internet has been a laughable exercise in futility from the get-go regardless of the 'high-profile' cases touted about as a bizarre metric of success.

You're dealing with a system that really doesn't give a shit what the law is in any one country, or any one group of countries. And since only the insane among us want a world government, that leaves with the question of what to do when law enforcement is essentially ineffective. Which it has been, and will be, no matter what laws the U.S. decides to pass or what the penalties are. U.S. law, after all, stops at U.S. borders.

So long as there are countries that'll host spammers there'll be mountains of spam to contend with.

If the law can't control the problem, what does that leave you? Seems to me that vigilantism doesn't sound so bad when the alternative is "bend over and grab your ankles".

Max

Its a great idea!

[heybo]

I am always suprised at the out cry to protect spammers from DDOS attacks or rejecting mail back to them on this site. It would seem that the people here would be more likely to understand this is a viable method to keep spammers down.

I know most of you are too young to remember the old days of the Internet but before DDOSing was illegal this was the method to stop spammers. That and brute force attacks aginst their servers. If you where a spammer then you were an open target.

This worked too. Spam increased only after the laws pretaining to network attacks came into effect.

I I guess that if someone breaks into your house watches your TV and eats all your food this is ok as long as they don't carry anything out. Still your left with the electric bill for running the TV and now you also have another mouth to feed. Guess your made of money. Well I am not and if you break in here you will be dealt with accordly and I will call the Cops only to come and carry away your corpse.

So if you stick your hand in my pocket to take my money and I cut off your hand am I the bad guy for cutting you? If you hadn't put your hand in my pocket in the first place I would have never hurt you. This is the same thing spammers stick their hands in my pocket everytime they send their shit. So if I cut off their hand by DDOSing them am I wrong? Personally I don't think so.

Remember THEY contacted me first.

The laws are no good. Ever called the FTC about this? Even being a ISP they will not presue your case. Their only answer is send us an email. Even when you have a mountian of evidence against them. Laws aren;t worth the paper it is written on if they are not enforced and the CAN-SPAM Act is just an illusion to appear that the goverment is doing something about it.

OK guys you can flame me now....

out of band attacks

[0111 1110]

I am fence sitting on this one. I joined the site and downloaded the blue frog client and may use it if only because my one computer isn't enough to make any difference in internet traffic by itself anyway. In this kind of war no one soldier makes much of a difference to the outcome.

However I am concerned about starting a large scale netwar with the spammers, effectively shutting down the internet. This is essentially what happened for me locally during the whole makelovenotspam fiasco. The spammers faught back with everything they had. It was not pretty. Also, as a rabid e-pirate complete with parrot and eye patch, I am concerned that the war could be an excuse for RIAA/MPAA sponsored attacks as well. The fact is that the internet is a very fragile system which can be easily broken. Some people are arguing that maybe it should be until our governments are willing to pass enforceable spam laws with actual teeth. But I'm not so sure I'd be willing to go that far.

I think a better long term system would be to get large groups of people to join an anti-spam organization which would accept donations and membership dues or whatever to fight against companies that advertise with spam in the real world. Something like a shady, vigilante, version of the EFF. The idea would be to hurt and put out of business companies that advertise with spam as much as possible. Moebius faxes, war dialing of 800 numbers, junk mail attacks, publishing of personal contact information for everyone in management positions including cellphone numbers, email and snail mail addresses. Maybe even opportunistic vandalism in a car-keying, sugar in the gas tank, potato in the tailpipe, spray-painting "spam sucks" onto windshields, kind of way. Presumably a professional organization could come up with even more nuisance ideas. Maybe a freesite could keep track of the exploits.

Problem is the ISPs

[laffer1]

I think the real problem is the ISPs. Internet service providers have these spammers as customers. Not only the spammers themselves but also the companies they spam for. There is no law that says you have to take a customer. It would be cheaper to not take these customers and save their bandwith.

DDOS attacking is not the answer; taking their network connection is!

Just turn your back on it

[inKubus]

Turn your back on spam. Use the best protection you can, hit delete, change emails once in a while, don't post your primary to suspicious sites or public places. It's pretty each. I don't get a lot of spam.

It's a lot like weather, if you just live with it it's not that bad. I used to get all freaked out about those profiteering on the internet, because I was around a little before it really got commercial (when Mosaic came out and playboy.com started ;))

It's symptomatic of our society--we're a marketing based economy. Almost everyone already has most of what they NEED here in America (food, shelter, medicine, etc.) therefore it's necessary to TEMPT us with things we just WANT and the essence of marketing is WANT. Need doesn't require extensive marketing to match up potential customers, they come looking for you.

Turn your back on spam and all marketing, don't buy into it if you want it to go away. But you should know just by looking at your friends and relatives that it's not going to go away. Everyone buys something because of a brand name or something like that. Nike shoes, Pepsi Cola, pft. We are all part of the problem so we can't really complain.

However, what I didn't like especially about your post was the comment about getting "lawmakers" involved. Ahem, what you are saying is taking the greatest invention furthering freedom of expression and thought and speech since the printing press and REGULATING it because you don't want to delete a few emails?! The price you pay for freedom is high isn't. You poor thing, having to suffer for like 2 or 3 minutes a day sorting through your email.

WE CAN'T WIN THIS WAR. Just like we can't "WIN" the "War on Fear" as I like to call the current stance of the U.S. Law Enforcement/Miltary/Political triumverate. This isn't a war on "Spam", this is a war on "Annoyance." You might as well start writing letters to your congressperson so maybe they can make it illegal for people to talk on a cell phone in a public place or, how about this, have a dog that barks or a rice burner with a loud stereo.

That's all annoying stuff but guess what, WE PUT UP WITH IT. We're ADULTS and it's just a part of life. If you let every little nitpicking thing get to you then you will die a nervous wreck!

Spam, as I see it, is just an annoyance.

What I DON'T like is Spyware. THAT'S a legitimate thing to declare war on. It invades your computer, sends your private information to others, makes a computer unusable, sends your web browser to it's own pages. That's an INVASION.
Annoyances, well.. I can live with those.

Please don't get the law involved with annoyances. Or next thing you know, they'll take your dog away. Then your computer, so you can't annoy me with your silly wars.

Re:That's exactly what they want!

[sumdumass]

Hmmm.. an interesting approach.

force them to invest in bigger servers, new software and more license, and even more bandwidth, then stop ordering and watch them go bankrupt.

I wonder who will go broke first?